Description
The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-03-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing data extraction
Action: Apply update
AI Analysis

Impact

The WooCommerce Multivendor Marketplace REST API plugin is vulnerable to SQL injection because the 'id' parameter in the update_delivery_status() function is neither properly escaped nor passed through a prepared statement. Authenticated users with Subscriber-level permissions or higher can inject and append arbitrary SQL statements into the existing query. This flaw, identified as CWE-89, can be used to extract sensitive data from the database, compromising confidentiality and potentially revealing user information or order details.

Affected Systems

The affected product is the WCFM – Multivendor Marketplace REST API for WooCommerce, maintained by wclovers. All versions up to and including 1.6.2 contain the vulnerability. No specific sub-versions beyond 1.6.2 are listed, so any installation of 1.6.2 or earlier is considered at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability. The EPSS score is reported as < 1%, suggesting a low likelihood of exploitation. The vulnerability is not in the CISA KEV catalog. Because the attack requires an authenticated account with at least Subscriber access, attackers may target sites with a large number of vendor or customer accounts. Exploitation would allow unauthorized data extraction from the database without the need for code execution. The likely attack vector is the REST API endpoint that accepts the 'id' parameter, as inferred from the description.

Generated by OpenCVE AI on April 21, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to plugin version 1.6.3 or later, where the SQL injection issue has been addressed.
  • Limit the update_delivery_status endpoint to administrator users only, or disable it for Subscriber role users through settings or custom code.
  • Monitor database queries and delivery-status update logs for suspicious activity and review logs regularly for evidence of exploitation.
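As an added illustration of the defect class described under Impact and of the remediation pattern the recommended actions point to, the following PHP shows a hypothetical WordPress REST handler in the vulnerable shape (the request's 'id' concatenated into the SQL) beside a hardened version that enforces the parameter type, binds values through $wpdb->prepare(), and gates the route with a permission callback. This is example code written for this page, not the plugin's code, which this record does not show; the table name, column names, route namespace, status set and the capability checked are all assumptions.

```php
<?php
// Added example, not the plugin's own code. The table `{$wpdb->prefix}wcfm_delivery`,
// the columns `id` and `status`, the route namespace and the capability name are
// placeholders chosen for illustration.

// Vulnerable shape (CWE-89): the raw 'id' and 'status' request values are interpolated
// into the statement, so whatever the caller sends becomes part of the SQL.
function update_delivery_status_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $id     = $request->get_param( 'id' );
    $status = $request->get_param( 'status' );
    // BAD: no prepare(), no type enforcement, no authorization check.
    $sql = "UPDATE {$wpdb->prefix}wcfm_delivery SET status = '{$status}' WHERE id = {$id}";
    return $wpdb->query( $sql );
}

// Hardened shape: validate types, constrain values, bind with prepare().
function update_delivery_status_safe( WP_REST_Request $request ) {
    global $wpdb;

    // 1. An id is a positive integer and nothing else; absint() rejects everything that is not.
    $id = absint( $request->get_param( 'id' ) );
    if ( 0 === $id ) {
        return new WP_Error( 'invalid_id', 'id must be a positive integer', array( 'status' => 400 ) );
    }

    // 2. Accept only values from a known set instead of passing the string through.
    $allowed = array( 'pending', 'shipped', 'delivered' ); // constructed example set
    $status  = sanitize_key( $request->get_param( 'status' ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'invalid_status', 'unknown status value', array( 'status' => 400 ) );
    }

    // 3. Let $wpdb build the statement: %d and %s are bound and escaped by prepare(),
    //    which also adds the quotes around %s, so none are written in the template.
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->prefix}wcfm_delivery SET status = %s WHERE id = %d",
        $status,
        $id
    );
    return $wpdb->query( $sql );
}

// 4. Authorization at registration time, so a Subscriber never reaches the handler,
//    plus argument validation that the REST layer runs before the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vendor/v1', '/delivery/(?P<id>\d+)/status', array(
        'methods'             => 'POST',
        'callback'            => 'update_delivery_status_safe',
        'permission_callback' => function () {
            // Capability name is an assumption; pick the one that fits the site's roles.
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The two changes that matter most for CWE-89 are the prepare() binding (step 3) and the type enforcement on 'id' (step 1); the permission callback (step 4) is the code-level form of the recommended action to keep Subscriber-role users away from the endpoint, and it belongs in the route definition rather than inside the handler so that an unauthorized request is refused before any query is built.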

Generated by OpenCVE AI on April 21, 2026 at 21:47 UTC.


Advisories

  • Source: EUVD
    ID: EUVD-2025-7186
    Title: The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Wed, 08 Apr 2026 17:45:00 +0000
  • References

Mon, 24 Mar 2025 15:15:00 +0000
  • Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 22 Mar 2025 06:45:00 +0000
  • Description, values added:
    The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  • Title, values added:
    WooCommerce Multivendor Marketplace – REST API <= 1.6.2 - Authenticated (Subscriber+) SQL Injection
  • Weaknesses, values added: CWE-89
  • References
  • Metrics (cvssV3_1), values added:
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:14.581Z

Reserved: 2025-02-14T20:12:02.373Z

Link: CVE-2025-1311

Vulnrichment

Updated: 2025-03-24T13:18:43.951Z

NVD

Status: Deferred

Published: 2025-03-22T07:15:24.433

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')